CISOs Share Top 10 Tips for Managing Vendors

CISOs Share Top 10 Tips for Managing Vendors
Learn How Security Veterans Deal with Vendor Hype, Budgets and Relationships
WISEGATE COMMUNITY VIEWPOINTS
2303 Ranch Road 620 South #135-165, Austin, Texas 78734
www.wisegateit.com

Introduction

Choosing the right IT product is essential for the health of any company. This is particularly so in IT security, where an ever-changing threat and compliance landscape leads to the continuous evolution of, and need for, new products and tools. Finding the right product at the right time is a complex endeavor, but fundamentally success will be defined by how well the security practitioner manages the vendors and navigates the marketing hype to find the right solution.

Like all security leaders, Wisegate CISO members face challenges selecting the right vendor and find benefit in the ability to confer with others to get advice and learn from the experiences and successes of their peers. In this latest report, Wisegate makes senior CISOs' vendor experiences and recommended practices, which are typically shared only between Wisegate members, available to the broader information security community.

This report features the latest practitioner tips on a critical aspect of their work, managing the vendor, with advice in three key areas:

» Managing the hype. The first question to ask: is a new product really needed? Or would better use of existing or upgraded products fill the requirement? When new products are necessary, how do you find the right one? What role does the vendor play in this process? CISOs provide tips on how to find the right product for the job.
» Managing the budget. This is an often-overlooked area. All CISOs have a budget and all budgets are limited. But if the budget is gone when the need arises, it can lead to problems. Security veterans offer advice on budget management.
» Managing the vendor relationship. Products and tools are basically bought or licensed just once, but the CISO's relationship with the vendor is an ongoing process. CISOs share strategies for getting the most from vendor relationships.

Managing the Hype

The issue, said one security veteran from the insurance industry, is to "buy a solution, not the hype." The problem becomes how to achieve this, and viewpoints ranged from ignoring new vendor phone calls to working more closely with existing suppliers, and concentrating on threat awareness and new product research. Hype often comes from new companies with new solutions: they need to make a lot of noise to get heard.

One CISO said she simply ignored all cold calls from vendors. "I know that's going to sound a little cold," she said, "but listen, we're all busy. I'm not going to take those cold calls. I actually let my phone ring and if it's important, they'll leave a message."

Top CISO Tips
» Make sure you need the product in the first place; it could be that an update or add-on to an existing product will suffice.
» Don't automatically seek the product with all the latest bells and whistles; how a product integrates into your existing architecture can be more important.
» Find out what you need from research and talking to other IT leaders, and then ask the vendor to confirm your understanding.
» Don't be afraid to ask unusual questions; the answers are likely to be all the more instructive.

Better integration of existing products can be better than more new products

A Director of InfoSec from a Fortune 100 company explained that he would prefer to eliminate a few of his existing vendors, and is not really interested in working with new ones. "I counted up the different vendors and we had over 40 different security vendors. That makes it difficult to establish any real strategy cohesion and interfacing between the vendors." His plan is to minimize the number of vendors by concentrating on those that are working well. Over time, he said, he's hoping to have a smaller contingent of vendors each doing more. And although he accepts that he may have to sacrifice the best possible point products in some areas, he hopes that the synergy inherent in better product integration will lead to a better overall solution and architecture.

Another security veteran from the defense industry supported this idea that better use of existing products should be tried before looking at new products. "Last year," he explained, "we looked at our suite of tools and we said, we've got too much overlap here. We're using 30% of the capabilities of this tool, 80% of this and only 5% of this tool." Subsequent requirements mapping against capabilities allowed him to get rid of two of the tools, noticeably reducing costs and complexity.

Make better use of the vendor relationships you already have

A CISO from the health care industry articulated what many considered a common mistake: when a new trend is spotted and a solution sought, many companies go straight to the outside market looking for the newest vendors with the latest products. That's a mistake, he suggests, because the company's existing vendors and products are maturing all the time with new updates to solve the latest problems. "Hopefully," he adds, "I can go into my legacy tools and find that my existing vendors have updates or add-ons that will address the new issues." Only if this fails, he says, will he look at new vendors, but even then (echoing the views of others) the secret is not necessarily to look for the absolute best possible point solution, but to find one that integrates into his existing architecture. "What I don't want," he explained, "is a bunch of disparate tools that don't integrate with each other and cause my cost of administration to go through the roof, or to have so many people on board that we start having miscommunications between what the tools are trying to tell us."

Consult others in your network

There comes a point where better use of existing resources won't solve the problem and a new vendor is needed. But, somewhat reluctantly, the vendor is the last person approached. Internal resources tend to be the first port of call. One CISO is lucky enough to have an internal vendor management team and that's where he starts. A senior security manager who works for a global electronics manufacturer pointed out that his security team does all the monitoring, setting policies, defining requirements, while IT has to make it all work. So he consults; it's teamwork, he says. "I'll give them a couple vendors maybe, or types of tools I'd like, and I let them decide which one they can manage the best. If I can get a buy-in from them, then I know it's going to be a successful project."

One CISO works in higher education, and doesn't have a team for consultative support. "Instead," he said, "we go and talk to other schools in our local area." When he says local area, he means Texas and New Mexico. "If we find that one or two or maybe even three vendors are popular with a lot of schools, then those are the ones that we start looking at. But if everybody has different vendors, then that makes our research a little harder and we actually will make a determination as to who we're going to meet."

Stay up-to-date on trends and technologies

In the final analysis, there must be some research, but the vendor is often the last person approached. A senior security practitioner said, "I still wrestle with what silver bullets are out there that I don't know about, so I try to grab reports that provide roundups on the cool vendors. SC Magazine does a great job of comparing vendors so I try to stay on top of that. The competitive reports for specific capabilities help make sure that I'm using the right product, and SC Magazine does a great job of benchmarking as well."

"I'm big on research," said another CISO. "I do lots of independent research before I even talk to a vendor," he said. "I want to know what their product does before they try to tell me what it does. This allows me to ask more intelligent questions, and see through the hype."

Just one CISO working in the government sector bucked the trend and took the phone call from the vendor right at the beginning, but this was his primary way of doing the research. "I let them describe the product to me briefly and if it's something that interests me, I will take the call. I even do a webinar on occasion just to keep up with some of the trends. I do read magazines and reports as well, but sometimes seeing it on the screen actually makes a difference."

Ask vendors the tough questions to get the right answers

Finally, the vendor might be asked to the table, but it's not yet to sign a contract. "I ask them two questions," said one CISO: "What is your cost model and who are your competitors?" The cost question is purely practical. "I want to know if it's sold by seat or enterprise license or one-time cost because it's going to color how I think about implementing it. If it's by seat, then, I may think, OK, I might put this out for directors and above. If enterprise is the default, then it will fit into my architecture differently." The competitor question is more esoteric. "I want to know if they're aware of their competitors and are willing to compare strengths and weaknesses because it may save me time in my own research. But if I do research and find they weren't being upfront with me, it doesn't bode well for an ongoing relationship."

Another CISO from a large industrial manufacturing company takes disruptive questioning even further. "It's like when you go to a restaurant and ask, 'What's the least popular dish?' I take a similar approach with vendors. When are you not good? What do you do worse than your competitor?" If you've done your research with Gartner or SC Magazine you can gauge the honesty of the vendor's reply. And that in turn will help you judge whether any relationship will work on the personal level rather than just the technology level.

Managing the Budget

Handling a security budget is a tricky business. In most other areas, conventional wisdom says that you should always use 100% of your available funds; anything less might persuade management to think you don't need so much next year. But if you get caught short in a security emergency with no budget, going cap-in-hand to the board does nothing for your credibility.

Top CISO Tips
» Avoid overspending to build credibility and fund those unexpected emergencies that inevitably arise.
» Be upfront with vendors when budget is a problem; they may be able to offer a creative solution in exchange for a long-term deal.

Question the use-it-or-lose-it standard thinking

One CISO was quite forthright. "The practice that I've adopted is to avoid spending my whole security budget," she explained. "When I follow this practice, the executives realize that I'll only spend the money that I need to accomplish reducing the risk and affording compliance for all of the requirements." She adds, "Of course, if I use it, I use it, but if not, that ends up serving me well in the long term." The result, she says, is that "if an emergency comes up that's not covered by my budget and I have to go in to the board and ask for an exception to that budget spending, then they're going to trust that I really need it because I'm not just out buying the latest and greatest gadget."

Put the budget ball in the vendor's court

One security veteran suggested putting the ball in the vendor's court. "Be honest with them," he suggested. "Let them know your budget. But also let them know they're in for the long run if you can reach agreement."

Managing the Vendor Relationship

Once a product is purchased, the relationship with the vendor changes; effective management skills become key to success. "Hold them accountable to what they promised," said one CISO. "But that being said," she added, "be respectful." She gave an example in which she asked the vendor to help her ensure that a GRC implementation was successful. "If the vendor steps up, be an honest reference for them. It leads to a great working relationship if the vendor knows he can call on you having gone through the trenches and can truly speak from the heart."

Top CISO Tips
» Demand what you pay for, and say thank you when you get it.
» Work on continuing the vendor relationship, but stay in charge: control and own it.

Demand the best, get what you're promised

Another of the security veterans explained how to be strong, but fair, in more detail. "One vendor was providing really bad support so I went to the managing director and said, 'Hey, I don't want this guy any more. He's not giving us what we paid for.' Well, they found us someone else, and the new guy is much, much better. So I said, 'Anything that needs touching, I only want this guy to touch it,' (it was actually to tune up our SIEM). And that's the only guy we'll accept now." But, he added, the converse also applies. "This guy was good," he explained, "so I phoned and emailed his managing director: 'This guy's really good, I think you have a winner here.' You have to confront them when necessary, but give them the kudos when earned. I really believe in that."

The flipside must also apply. A good working relationship is two ways. "I tell them, 'Hey, if you're not getting the support from my team or the IT team, if they're not answering emails or they're not coming to conference calls, let me know so I can address it at my end.' It's two ways."

Vendor accountability is always important and should be demanded. "You need that good working relationship," said another senior security manager. But then you have to be honest and you have to hold the vendor to the agreed statement of work (SOW). "We always get a SOW," he said, "and I hold the vendor to it. At the end of a project I want a report that provides all the answers and doesn't ask any questions. I think it is important to demand that."

The best benefits are mutual benefits

If you can get that good working relationship, it can benefit both sides. "I like to establish long term relationships with my vendors," commented a CISO working for state government. "The one I use now I've had for seven years." Over that length of time mutual trust can develop. "This vendor," he said, "is not necessarily the most technical vendor around; as a VAR he's not strong in the 'V' part." But, and this is the point, the CISO can go to his VAR and say, "Look, here's the problem we got. Can you solve it? And if you can't solve it yourself, can you find me someone who can?"

The value here is that the VAR is likely to have a better understanding of the market than the practitioner, and can provide huge savings in both time and money. "Without this involvement, I can work out what I need, but I have to go to an RFP, and when I have to publish, review, evaluate and everything else that comes with an RFP, I'm looking at three to six months before I even get into contract negotiations." It's different when you can delegate some of that effort. "I have a VAR that can actually assume some of that contract responsibility because I already have a contract with him." He gave an example. "The last time I had to negotiate a contract with Dell, back in 1999, it took me two years. Now, if I want to buy a product from Dell I use my VAR. He accepts Dell's terms, but he also accepts mine because we already have a contract; he becomes the intermediary." That's not to say he takes over support responsibility for the original manufacturer. "Sometimes I go to the VAR, sometimes I go to the manufacturer. But most of the time I use the VAR as a purchasing vehicle and a contract negotiation or expediting vehicle, while all of our communication will go straight to the manufacturer."

Be reasonable with vendor gift policies

There's one other area that comes under the general concept of vendor relationships, and that's vendor gifts. Are they purchasing incentives? Providing a subtle way for the vendor to control the relationship? Or are they a simple thank you that oils the wheels of business? Wisegate asked its members two basic questions on their attitude towards accepting gifts and favors from vendors:

» What's your company's policy about accepting gifts or favors from vendors?
» What is your opinion about strict policies against accepting anything from vendors?

The general feeling seems to be that vendor gifts are okay, within limits; that they should be neither fully accepted nor completely rejected. Most companies set a dollar value on acceptable gifts, and it's worth noting that, apart from potential tax implications, some countries such as the UK have strict bribery laws where an expensive gift could be interpreted as a bribe, creating problems for both giver and receiver.

"In our opinion," commented one security practitioner, "an outright prohibition of vendor gifts is not reasonable. Our policy sets a dollar value limit for individual gifts, events and favors. And this works well for us." Another pointed out that the US Government and many large corporations allow a reasonable limit on gifts, usually in the $50-$100 range. "This lets employees say no to the outrageous stuff, while not getting into an occasional lunch/dinner situation where they have to pay out of pocket or get manager approval after the fact."

"Generally," said another, "our rule is that if the gift has a value of over $25 then it must be refused or given to a staff member in a way that removes any bias." He gave an example. "If we were to get tickets to a sports game, we would either refuse them outright or we would draw names out of a hat and select who would receive them that way."

In Closing...

Managing the relationship with vendors is a tricky, but essential, business. The first job is to find the right vendor, and this means getting beyond the hype to find the right solution. Managing budgets to afford the product is not really seen as a problem: CISOs either have the budget or they don't have the budget. It's not so much a problem as a fact of life. But while buying a product is a limited event, the ongoing relationship with the vendor is where the true value is found, and is almost always where the greatest effort needs to be spent.

Being part of the Wisegate expert network keeps senior IT practitioners abreast of evolving strategies and informed on which approaches their peers find effective. In-depth discussions on the challenges and strategies that can be used to forge productive relationships with vendors and other related issues continue online at www.wisegateit.com.

Wisegate is an IT expert network and information service that provides senior-level IT professionals with high quality research and intelligence from the best source available: the collective knowledge of IT leaders from across the industry. Through live roundtable discussions, detailed product reviews, online Q&A and polls, and timely research reports, Wisegate offers a practical and unbiased information source built on the real-world experience of veteran IT professionals. No analyst theories or vendor bias to cloud the information, just clear and straightforward insight from experienced IT leaders.

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

2303 Ranch Road 620 South #135-165, Austin, Texas 78734
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
© 2013 Wisegate. All rights reserved.